Security threat

A new report by Deloitte sheds light on a new vulnerability within oil and gas – cyber-attacks. Elaine Maslin reports.


The oil and gas industry is often accused of being behind the times when it comes to the adoption of automation, digitalization, and IoT (internet of things) technology.

While smartphones have become an everyday item, offering seamless cloud connectivity and access to countless services, including analytics, alongside live, data-based satellite navigation and even fitness and sleep tracking, oil and gas firms are accused of conducting their major operational processes in unconnected islands of activity, with manual order entry and inventory tracking, and operational data that never reaches enterprise-level use.

The new world of collaborative decision making, fueled by field data recorded by sensor-enabled smart machines and gauges, is coming, and must come, says Paul Zonneveld, Global Energy & Resources Risk Advisory Leader, at business consultancy Deloitte. “Digitalization of oil and gas is critical,” he says. “It’s the No. 1 business opportunity, to take the next step and be sustainable.”

The risk now is that the industry might be digitalizing too quickly, without enough focus on security to prevent cyber-attacks, says Deloitte.

“It’s probably our No. 1, 2 and 3 focus right now, given where the industry is and the issues the industry is trying to face,” says Zonneveld. In short, industry “interconnectedness has outpaced its cyber maturity, making it a prime target,” says Deloitte University Press’ (DUP) report Protecting the connected barrels.

According to Deloitte, energy was the industry second most prone to cyber-attacks in 2016, with nearly 75% of US oil and gas companies experiencing at least one cyber-attack. Yet those same firms do not list cyber breaches as a major risk, lumping them together with risks such as civil unrest, labor disputes and weather disruptions.

As if to underline DUP’s concerns, just days after its report was released, the Petya ransomware virus struck, hitting, among others, Russian oil major Rosneft and A.P. Moller Maersk, which owns Maersk Drilling and Maersk Oil, alongside global advertising house WPP and Ukrainian government systems.

Part of the problem is that the industry has a “large attack surface and many attack vectors,” i.e. there are lots of people, companies and systems (many dating back decades) involved, which could all offer access points to hackers. Decisions about industrial control system software are often made at the field or unit level, resulting in products from different solution providers, based on different technologies, and with different IT security standards.

Meanwhile, intelligent instrumentation at a field level (devices that can self-process, analyze, and act upon data closer to operations) is taking cyber risks into the front line of upstream operations, says the report.

Security concerns can also be outweighed by safety concerns, for example in a drilling room where engineers fear that stringent IT security measures could introduce unacceptable latency into time-critical control systems.

Yet, “If a cyber attacker were to manipulate the cement slurry data coming out of an offshore development well, black out monitors’ live views of offshore drilling, or delay the well-flow data required for blowout preventers to stop the eruption of fluids, the impact could be devastating,” says the DUP report.

How big is the risk?

While we hear about cyber-attacks on the banking or other industries, which are by their very nature more public, less is heard about attacks on oil and gas firms. “Don’t be comforted by not having seen a lot publicized,” says Zonneveld. “In the last year, we have seen phishing attacks [on upstream firms] growing exponentially.

“These are people in nation states or groups trying to break into organizations to find what they can get. We are seeing a lot more attempts. When it hits the corporate side there’s a lot of technology to prevent it happening. But, the maturity and who owns and controls offshore facilities, which procured their own internet access, and engage with engineering contractors that have remote access to technology corporate doesn’t even know about, and that represents a back door. Many have very porous profiles and security is non-existent.”

This means a hacker could access a SCADA system, change a parameter – and in all likelihood not actually know what it is they’re changing – and cause a system shutdown. This is happening, a lot, says Zonneveld. “We see this as one of the emerging areas of threat.”

Some areas of the upstream business are more at risk than others, however. According to the DUP report, production has the highest cyber risk profile, followed by development well drilling and then seismic imaging.

Risk profiles

Production operations rank the highest in terms of cyber vulnerability, mainly because of their legacy asset base, “which was not built for cybersecurity, but has been retrofitted and patched in bits and pieces over the years, and lack of monitoring tools on existing networks,” says the DUP report. About 42% of offshore facilities worldwide have been operational for more than 15 years, fewer than half of oil and gas companies use monitoring tools on their networks, and of those companies that have these tools, only 14% have fully operational security monitoring centers, according to the report.

This situation is then magnified by the expansive operating environment and the changed role of instrument vendors from system suppliers to system aggregators. “A large US oil and gas company has more than 25,000 producing wells, and each well has a diverse set of industrial control systems—from sensors in boreholes, to programmable logic controllers on a well, to SCADA systems in local control centers—purchased from a number of vendors with different maintenance schedules and connected using off-the-shelf technologies,” says the report.

On top of these are loosely coupled but nonetheless integrated industrial control systems, which are increasingly connected with a company’s enterprise resource planning systems. “With 75% of global oil and gas production controlled by resource planning systems, this part of the value chain faces cyber risks both from the top (IT systems) and bottom (hardcore legacy operation technology systems in the field),” says the DUP report. “Thus, the consequence of a cyber-attack on oil and gas production could be severe, promptly affecting both the top and bottom lines.”

There’s also a gap when it comes to the perception of risk in different parts of the business, with the production side maybe not having the same discipline as a CTO, says Zonneveld.

Development drilling has a high cyber-attack vector, “due to higher drilling activity, expansive infrastructure and services, both above and below the surface, and a complex ecosystem of engineering firms, equipment and material suppliers, drillers and service firms, partners, and consultants,” says the DUP report.

It’s a challenge to align all involved to a single cybersecurity protocol. Existing drilling and computer systems were designed around the theory of an isolated network, in the belief that hundreds of miles of ocean would be good enough defense. Real-time operations centers, with live access to the rig, and even linking geoscience and engineering databases, have changed that. Automating pipe-lifting and stand building is making everything even more interconnected. Open-source, vendor-neutral data protocols (e.g. Wellsite Information Transfer Standard for Markup Language, or WITSML) could now also make well data comprehensible to hackers.

The DUP report says that while field development planning and well completions have relatively lower cyber risk profiles, the well completion process has a high probability of slipping into the high-risk cyber zone, as smart wells take hold, with real-time monitoring connected to advanced analytical software.

Seismic imaging has the lowest risk because geological and geophysical surveys have a closed data acquisition system and a fairly simple ecosystem of vendors (the top three geophysical vendors control 50 to 60% of the market and provide a complete suite of offerings). An attack would cause less damage – to health and the environment – than an attack on a well might.

Mitigation

The good news is that there haven’t been any catastrophic events so far. “Early on, when smart engineers designed these systems, they designed them to be fail safe,” says Zonneveld. That means they shut down if they start operating outside an operating range. “The industry also has safety as a priority,” he says, “and where cyber becomes a threat to safety, people pay attention, and they are.” Senior management are also taking the issue more seriously, he says, and developing a better understanding of what the risks are.

What can they do? Some of it is about company culture – spreading awareness about phishing campaigns, making people think twice about opening an email, says Zonneveld.

Testing new equipment before it is deployed can reduce risk in the drilling segment. Running cyber scans on cloned SCADA and other specific systems rather than on actuals (avoiding directly interrupting drilling operations), and searching for anomalies against a ‘baseline of normal’ using both physics and non-physics-based data, can help companies detect breaches before they reach their target, says the DUP report.
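To make the ‘baseline of normal’ idea concrete, here is an added example (not code from the DUP report or Deloitte) that scores live telemetry against a recorded baseline using one physics-based feature and one non-physics feature. The field layout, sample values, threshold `k` and the assumption that flow out of the well tracks flow in during normal circulation are all constructed for illustration.

```python
from statistics import median

# Constructed sample telemetry (not from the report), one tuple per minute:
# (flow_in, flow_out, setpoint_writes). Flows are litres per minute; the last
# field counts setpoint-change commands seen on the control network.
BASELINE = [
    (1800, 1803, 0), (1900, 1898, 0), (2000, 2004, 1), (2100, 2097, 0),
    (2200, 2202, 0), (2100, 2103, 0), (2000, 1996, 0), (1900, 1902, 1),
    (1800, 1799, 0), (2000, 2001, 0),
]
LIVE = [
    (2000, 2002, 0),   # normal
    (2000, 1900, 0),   # flow_out plausible alone, but inconsistent with flow_in
    (2100, 2101, 6),   # process looks fine, burst of setpoint writes
    (2000, 3000, 0),   # flow_out outside anything seen in the baseline
]

# feature name -> (extractor, minimum scale so a flat baseline is still usable)
FEATURES = {
    "flow_out": (lambda s: s[1], 1.0),             # single-sensor value
    "mass_balance": (lambda s: s[1] - s[0], 1.0),  # physics-based: out - in
    "setpoint_writes": (lambda s: s[2], 0.5),      # non-physics data
}

def robust_stats(values, floor):
    """Median and scaled MAD; robust to a few odd points in the baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, 1.4826 * max(mad, floor)

def detect(baseline, live, k=5.0):
    """Return [(index, [features more than k robust deviations from normal])]."""
    stats = {name: robust_stats([f(s) for s in baseline], floor)
             for name, (f, floor) in FEATURES.items()}
    alerts = []
    for i, sample in enumerate(live):
        reasons = [name for name, (f, _) in FEATURES.items()
                   if abs(f(sample) - stats[name][0]) / stats[name][1] > k]
        if reasons:
            alerts.append((i, reasons))
    return alerts

if __name__ == "__main__":
    for index, reasons in detect(BASELINE, LIVE):
        print(f"minute {index}: deviates from baseline on {', '.join(reasons)}")
```

The second live sample is the instructive one: its flow-out reading sits comfortably inside the historical range, so a single-sensor check passes it, and only the physics-based comparison with flow in exposes it.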

A risk-based approach, rather than only following the scheduled or compliance-based approach, could also be taken, based on a detailed vulnerability/severity assessment for each asset, and prioritizing and scheduling updates promptly for critical assets. Replacing legacy devices with wholly new purpose-built hardware, rather than retrofitting, could also improve resilience.

The DUP report also suggests companies practice responding to an attack, through cyber war-gaming and simulations, especially with people involved in responding to incidents offshore or working in remote locations, to aid better understanding of threats and improve cyber judgment at all levels.

“It’s not just a project,” however, Zonneveld says. “It’s a process that needs building in to management system philosophies.”